Microsoft Launches Bounty Program To Fix Security Flaws

By | June 21, 2013


Microsoft this week announced that it would for the first time pay cash rewards directly to hackers who can demonstrate vulnerabilities in Windows and Internet Explorer – with “truly novel” techniques earning a possible $150,000.

Katie Moussouris, a senior security strategist at the software giant, said the bounties were a continuation of the company’s “dialog with the research community to further the common goal of protecting customers.”

“This philosophy is reflected in a new strategy designed to increase protections through outreach in the security community,” Moussouris said.

“The new programs are critical components in delivering this strategy. Other programs focused on detection and protection will follow soon... [We are] calling upon the clever hackers of the world to work with us on strengthening our platform-wide defenses.”

Moussouris called the program “an inflection point” for Microsoft and the security industry. “For the first time ever, Microsoft is offering direct cash payouts in exchange for reporting certain types of vulnerabilities and exploitation techniques. We are making this shift in order to learn about these issues earlier and to increase the win-win between Microsoft’s customers and the security researcher community.”

The rewards offered include a “mitigation bypass bounty” of $100,000 for “truly novel exploitation techniques” against protections built into Windows 8.1 Preview. “Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest,” Moussouris said. Submissions that include a defense against the technique will qualify for up to $50,000 more.

Microsoft will also, for one month from Wednesday, June 26, pay up to $11,000 for critical vulnerabilities that affect IE 11 Preview on Windows 8.1 Preview.

“The IE 11 Preview Bug Bounty is a way for Microsoft to provide incentives for the researcher community to come forward with their vulnerability reports directly and privately to us,” Moussouris said. “The timing for our IE 11 Preview Bug Bounty allows for the vulnerability reports to arrive before the software is widely deployed by customers.”

In a separate blog post, Microsoft’s security and defense center said a good mitigation bypass submission would demonstrate a way of exploiting one or more memory corruption vulnerability classes when all modern mitigations are in place – for example, data execution prevention (DEP) and address space layout randomization (ASLR).

“For a submission to be eligible, it must include a detailed whitepaper and a functioning exploit which demonstrates the exploitation technique against a real world remote code execution vulnerability,” the blog post said.

“The technique must also meet a high bar: it must be generic and reliable, it must have reasonable requirements, it must apply to a high-risk user mode application domain, and it must be applicable to the latest version of our products.”

It said an example of an exploitation technique that would have qualified for the mitigation bypass bounty program was JIT spraying, a technique publicly described for the first time in 2010 by Dionysus Blazakis.

“It outlined a method of leveraging a Just-In-Time compiler to generate large amounts of partially controlled instructions that could enable alternative instruction streams if executed at a misaligned offset,” the Microsoft blog said. “As a result, an attacker can implicitly bypass DEP and ASLR and thereby more easily exploit many classes of memory corruption vulnerabilities. In response to this exploitation technique, multiple software vendors have released JIT compilers that include built-in mitigations for JIT spraying.”
